Description
Object serialization allows complex data structures to be transferred over channels such as HTTP. However, a serialized object that reaches the application indicates a potential object deserialization vulnerability: deserializing objects from untrusted sources can lead to security risks including remote code execution and data tampering, because the deserializer reconstructs whatever object graph the input describes.
Recommendation
To address the risk associated with serialized objects:
- Evaluate the necessity of deserializing objects from untrusted sources and minimize such dependencies wherever possible.
- Implement strict validation mechanisms to ensure that only trusted and properly formatted serialized objects are accepted.
- Consider using data-only formats such as JSON or XML instead of native object serialization; they carry values rather than executable object state, so their content is easier to validate.
- Employ runtime protections and monitor for any anomalous deserialization activities that could indicate exploitation attempts.
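The following is an added example, not code from the original finding, illustrating the second and third recommendations in Python. It assumes Python's native `pickle` format is the serialization in use; the `Order` class, the allowlist and the sample byte strings are constructed for the example. It places the unsafe `pickle.loads` call next to a restricted unpickler that accepts only an explicit allowlist of classes and logs every rejected class name (useful as a detection signal), and beside both a JSON loader that validates field names and types instead of reconstructing objects.

```python
import io
import json
import logging
import pickle
from collections import OrderedDict
from dataclasses import dataclass

log = logging.getLogger("deserialization")


@dataclass
class Order:
    """Hypothetical application type that is legitimately transferred."""
    item: str
    quantity: int


# Only these (module, class) pairs may be reconstructed from untrusted data.
# Assumption for the example: Order is the single type the endpoint expects.
ALLOWED_GLOBALS = {(Order.__module__, "Order")}


def unsafe_load(data: bytes):
    """Vulnerable form: pickle.loads resolves and instantiates any class the
    byte stream names, so untrusted input controls what code runs."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: every class reference in the stream passes through
    find_class, so an allowlist check here gates what can be reconstructed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # A rejected class is a strong indicator of tampering; log it for monitoring.
        log.warning("rejected deserialization of %s.%s", module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Returns ('accepted', obj) or ('rejected', reason) for easy checking."""
    try:
        return ("accepted", restricted_load(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def order_from_json(text: str) -> Order:
    """Safer alternative: parse a data-only format and validate the shape
    explicitly. JSON cannot name classes, so nothing is instantiated by the
    parser; the application decides what to build."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"item", "quantity"}:
        raise ValueError("unexpected fields in order document")
    item, quantity = obj["item"], obj["quantity"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(item, str) or isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError("invalid field types in order document")
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    return Order(item, quantity)


# Constructed sample inputs: a legitimate Order and a stream naming a class
# the endpoint never expects (OrderedDict stands in for any foreign class).
TRUSTED_PICKLE = pickle.dumps(Order("widget", 3))
FOREIGN_PICKLE = pickle.dumps(OrderedDict())
SAMPLE_JSON = '{"item": "widget", "quantity": 3}'

if __name__ == "__main__":
    print("unsafe_load reconstructs:", type(unsafe_load(FOREIGN_PICKLE)).__name__)
    print("restricted, trusted stream:", try_restricted_load(TRUSTED_PICKLE))
    print("restricted, foreign stream:", try_restricted_load(FOREIGN_PICKLE))
    print("json alternative:", order_from_json(SAMPLE_JSON))
```

The allowlist approach limits which classes can be instantiated but not what the allowed classes do in their own reconstruction hooks, so it is a containment measure, not a substitute for the first recommendation; the JSON path removes the class-resolution step entirely, which is why the finding recommends it.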